Analysis
-
max time kernel
140s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system -
submitted
08-05-2024 15:36
Static task
static1
Behavioral task
behavioral1
Sample
2587b0ac4444dd2761ada35d66e712d0_JaffaCakes118.exe
Resource
win7-20231129-en
General
-
Target
2587b0ac4444dd2761ada35d66e712d0_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
2587b0ac4444dd2761ada35d66e712d0
-
SHA1
6e973a9949e1b25b06122891c37b353c3a65bc60
-
SHA256
6841e8e4988b6ddfcc7a88a325216bfdaf4a192468c0b1ed73c2515d00a9bde3
-
SHA512
a72a8f06628ce0294e0f8cbf076980098b5bae33756c453226a2402583bdf7e354c0fe7c2335baaebba6b9d85a42ffd733168c0c2115a85fc8ebbacf7559978d
-
SSDEEP
12288:kp1OePIskUpJT/2ctkka/6HfU4l69SnDOorGNO7c4KuTmvzKI3aCnEjBijKvnbd:GRtkk9HfhFnDOoLc4KDbmn
Malware Config
Extracted
formbook
3.8
xx
Signatures
-
Formbook payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2972-0-0x0000000000403000-0x0000000000430000-memory.dmp | formbook
behavioral1/memory/2972-1-0x0000000000400000-0x000000000052B000-memory.dmp | formbook
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid | pid_target | process | target process
2976 | 2972 | WerFault.exe | 2587b0ac4444dd2761ada35d66e712d0_JaffaCakes118.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
2587b0ac4444dd2761ada35d66e712d0_JaffaCakes118.exe
pid | process
2972 | 2587b0ac4444dd2761ada35d66e712d0_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
2587b0ac4444dd2761ada35d66e712d0_JaffaCakes118.exe
description | pid | process | target process
PID 2972 wrote to memory of 2976 | 2972 | 2587b0ac4444dd2761ada35d66e712d0_JaffaCakes118.exe | WerFault.exe
PID 2972 wrote to memory of 2976 | 2972 | 2587b0ac4444dd2761ada35d66e712d0_JaffaCakes118.exe | WerFault.exe
PID 2972 wrote to memory of 2976 | 2972 | 2587b0ac4444dd2761ada35d66e712d0_JaffaCakes118.exe | WerFault.exe
PID 2972 wrote to memory of 2976 | 2972 | 2587b0ac4444dd2761ada35d66e712d0_JaffaCakes118.exe | WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2587b0ac4444dd2761ada35d66e712d0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2587b0ac4444dd2761ada35d66e712d0_JaffaCakes118.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 176
- Program crash
PID:2976